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#define NAPCMDLOGINLENGTH 128 /* bytes*/ 

#define NAPCMDNEWADDRLENGTH 64 /* (username + 17) bytes */ 

/* These servers are the responses to a DNS lookup of "server.napster.com" */ 
5 #define NAP NUM SERVERS 6 

static int sNapServerTable[NAP__NUM_SERVERS] = { 
0x407c2910, /* IP 64.124.41.16 */ 
0x407c2911, /* IP 64.124.41.17 */ 
0x407c2912, /* IP 64.124.41.18 */ 
10 0x407c2913, /* IP 64.124.41.19 */ 

0xd0b8d8de, /* IP 208.184.216.222 */ 
0xd0b8d8df, /* IP 208.184.216.223 */ 

}; 

15 /* These are commonly used Napster port numbers */ 
#define NAP_NUM_INIT_PORTS 1 

static int sNapImtPortTable[^AP_NUM_INIT_PORTS] = { 8875 } ; 
#define NAPNUMCMDPORTS 1 

static int sNapCmdPortTable[NAP_NUM_CMD_PORTS] = { 7777 } ; 

20 

/* Note: the services table already has an entry for 8888 */ 

/* Note that Napster 2.0 Beta 5 also used ports 4444, 5555, and 6666 */ 

#define NAP_NUM_DATA_PORTS 2 

static int sNapDataPortTable[NAPJSfUM_DATA_PORTS] = { 6688, 6700 } ; 

/* Note: the services table already has an entry for 6699 */ 
napFirstLook() { 

/* Temp flags */ 
30 BOOL probablyNapInit = FALSE; 

char*dataStart ; /* The start of the payload data unit */ 

UINT16cmdLength; 

UINT16cmdType; 

struct napFlowListData curFlow ; 
35 struct napFlowListData *savedFlow ; 

NessFlowPtr nf ; 

SIDE sidel, side2 ; 

int port2 ; 

int addr2 ; 

40 int i ; 

/* If this is a TCP flow then check to see if it is this Application */ 
if (ipf->tcb) { 

45 /* Set shortcuts */ 

dataStart = ipf->header.dataStart ; 

nf = nessFlowFromlPF(ipf) ; 

sidel = bcb_direction(ipf->bcb); 

side2 = (sidel ?0: 1); 
50 port2 = nf->conn.port[side2]; 

addr2 = nf->conn.addr [side2] ; 

/* Look for connections to server.napster.com */ 

55 if(rsp=l){ 
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/* Check known port numbers */ 
for (i=0; i<NAP_NUM INIT PORTS; i++) { 
if (port2 = sNapInitPortTable[i]) { 
probablyNapInit - TRUE ; 
5 break ; 

} 

} 

/* Check known addresses */ 
10 if (IprobablyNapInit) { 

for (i=0; i<NAP_NUM_SERVERS; i++) { 
if (addr2 = sNapServerTable[i]) { 
probablyNapInit = TRUE ; 
break ; 

15 } 

} 

} 

if (probablyNapInit) { 
20 debugBlurt( H Detected Napster Server"); 



/* Try to dig out the redirection */ 

napParseInitialConnection( ipf->header.dataLen, dataStart) ; 
return SVC NAP DOT: 



} 



/* Inspect the first 5 packets for Napster, then give up */ 
if((req + rsp)<=5) { 

/* Look for Napster Login */ 



/* This is a safety net in case we missed the Init traffic */ 
/* Anything on these ports will be classified as Napster-Cmd 
35 * even though they are not registered to Napster. */ 

for (i=0; i<NAP_NUM__CMD_PORTS; i++) { 
if (port2 = sNapCmdPortTablep]) { 
return SVC_NAP_CMD ; 

40 } 

} 

/* Otherwise inspect the flow for things that look like 
Napster commands */ 
45 if (ipf->header.dataLen >= 4) { 

/* If the first two bytes contain the length of the packet 
minus 4 bytes, then check for a login 'type* value */ 
/* Note: The fields are not in network byte order, they are 
50 in little-endian form. */ 

cmdLength - (UINT16)((dataStart[l] « 8) + dataStart[0]) ; 

if (cmdLength — (ipf->header.dataLen - 4) ) { 

55 

/* Check for a known login 'type' */ 
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} 

10 } 



cmdType = (UINT16)((dataStart[3] « 8) + dataStart[2]) ; 

/* Currently there are two login messages, types 2 and 6 */ 

if (((cmdType = 2) || (cmdType == 6)) && 

(napParseCmdLogin(ipf, cmdLength, (dataStart+4)))) { 
debugBlurt("Detected a Napster-ish login "); 
return SVC_NAP CMD ; 

} 



/* Look for raw Napster Data flows */ 

/* 

15 * Anything on these ports will be classified as Napster-Data 

* even though they are not registered to Napster. 
*/ 

for (i=0; i<NAP__NUM_DATA_PORTS; i++) { 
if (port2 = sNapDataPortTable[i]) { 
20 return SVC_NAP_DATA ; 

} 

} 

/* Otherwise inspect the flow for things that look like 
25 Napster downloads or uploads */ 

/* If data length is 1 byte and that byte is the ASCII " 1 " 

then check the response in the next packet */ 
if ((ipf->header.dataLen = 1) && 
(*ipf->header.dataStart = ' 1 ')) { 

30 

/* Save this flow in a list of potential Napster flows */ 
if (!(savedFlow = 

(struct napFlowListData *)kmalloc( 

sizeof(struct napFlowListData), MJNESS))) { 
35 infoO("Unable to save Napster-Data info"); 

/* Bail out because we're out of memory */ 
return S VC_UNKNOWN ; 

} 

40 savedFlow->connBlk - ipf->tcb ; 

savedFlow->connSeq = ipf->tcb->connSeq ; 
nessListAdd( sFlowList, savedFlow ) ; 
return MORE JVIAGIC ; 

} 

45 

/* If the response contains the single word "GET" or "SEND" 

then this is probably Napster data (upload/download) */ 
if ( ((ipf->header.dataLen = 3) && (dataStart[0] = f G') && 

(dataStart[l]='E')&& 

50 (dataStart[2]=T)) || 

((ipf->header.dataLen = 4) && (dataStart[0] = f S f ) && 

(dataStart[l]= , E')&& 
(dataStart[2] = TsT') && 

55 (dataStart[3] = 'D f )) ) { 
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curFlow.connBlk = ipf->tcb ; 
curFlow.connSeq = ipf->tcb->connSeq ; 
savedFlow = (struct napFlowListData *) 
5 (nessListLookup( sFlowList, &curFlow )) ; 

/* If this flow is in the list of suspected Napster's 

then we probably have Napster Data traffic. */ 
if (savedFlow) { 
1 0 return S VCNAPJD ATA ; 

} 



15 



45 



50 



/* */ 

} 

} 

/* If we make it to here then we did not recognize the traffic */ 
return SVC UNKNOWN: 



20 } 



/* 

* Parse the Napster Command flow for download requests. 
25 */ 

napParseFlow ( ) { 

char *dataStart ; /* The start of the payload data unit */ 
UINT16cmdLength; 
30 UINT16cmdType; 

whereStr( "napParseFlow"); 
debugBlurt("Parsing Napster-Cmd flow"); 

35 if ( ! gNapCmdParsingEnabled) { 

return FALSE ; 

} 

debugAssert(ipf->ucb || ipf->tcb); 



40 if(ipf->tcb) { 



/* Look for Napster commands */ 
if (ipf->header.dataLen >= 4) { 

dataStart = ipf->header.dataStart ; 

/* If the first two bytes contain the length of the packet 
minus 4 bytes, then check for a resonable type value */ 

/* Note: The fields are not in network byte order, they are 
in little-endian form, so we can't use ntoh(). */ 

cmdLength = (UINT16) ((((UINT16)dataStart[l] « 8) & OxffOO) | 

((UINT16)dataStart[0] & OxOOff)) ; 



/* Check for a known 'type' */ 
5 5 cmdType - (UINT 1 6) ((((UINT1 6)dataStart[3] « 8) & OxffOO) | 

((UINT16)dataStart[2] & OxOOff)) : 
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if (cmdLength = (ipf->header.dataLen - 4) ) { 

/* Currently the known command types are from 0 to 910, 
5 but I'm allowing some room to grow */ 

if(cmdType<5000) { 

napParseCmd( ipf, cmdLength, cmdType., (dataStart + 4)) ; 

} 

} 

10 } 

} 

/* Peek at this flow for as long as it exists. */ 
return TRUE ; 

} 

15 

/* 

* The first thing the Napster client does when it starts is make a connection 

* to the napster.com site where it is redierected to a server farm. 
20 */ 

BOOL 

napParseImtialConnection( UINT16 len, char *dataStart ) { 

/* The initial connection just contains an IP address and a port number. 
25 ie. 208.184.216.187:7777 terminated by an ascii newline (OxOA) and 

a null terminator (0x00) (maximum of 23 chars) */ 

EP ADDR serverAddr ; 

char*portString ; 

UINT16portNumber ; 
30 BOOL ret; 

int i; 

whereStr( M napParseInitialConnection"); 

35 portString = dataStart ; 

serverAddr = 0 ; 
portNumber = 0 ; 
ret = FALSE ; 

40 /* If it's too long then something is wrong, bail out */ 

if (len > 25) { 

return FALSE ; 

} 

45 for (i=0;i<len;i++) { 

if (dataStartp] = ':') { 
dataStartp] - '\0' ; 

serverAddr = inet_addr_in_host order( dataStart ) ; 
dataStartp] = V ; 
50 portString = &(dataStart[i+ 1]) ; 

} 

if (dataStartp] = V) { 
dataStartp] = '\0 f ; 

ret = napParsePort( portString, &portNumber ) ; 
55 dataStartp] = V ; 

break ; 
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} 

} 

if (serverAddr && ret && portNumber) { 

5 

/* Remember this future flow */ 

if (nessRememberRedirection(serverAddr, portNumber, TCPPTCL, 
SVC_NAP_CMD)) { 
debugBlurt3( M Remembering: 0x%x, %d, %d is Napster", serverAddr, portNumber, 
10 SVC NAP CMD); 

} 

else { 

debugBlurt("DEBUG: failed to remember redirection"); 

} 

15 return TRUE; 

} 

return FALSE ; 

} 

20 

/* 

* Once the client establishes a connection to the database server, it 

* interacts via a mesage typed protocol Each message begins with a 

* 2 byte length, then a 2 byte type, then the data. This function 
25 * directs the data parsing based on the message type code. 

* Note: there can be more than one message in the TCP packet and the 

* messages can cross packet boundaries, but this code only looks at 

* the first message, and split messages are not processed. 
*/ 

30 BOOL 

napParseCmd( IPF_INFO_PTR ipf, UINT16 cmdLength, U1NT16 cmdType, char *cmdDataStart) 

{ 

BOOL ret ; 

3 5 whereSrr("napParseCmd"); 

switch (cmdType) { 
case 2: 
case 6: 

40 debugBlurtl ("Napster Login command: %d", cmdType ); 

ret = napParseCmdLbgin( ipf, cmdLength, cmdDataStart ) ; 
break ; 
case 216: 

debugBlurtl ("Napster Search command %d", cmdType ); 
45 ret = napParseCmdNewAddr( cmdLength, cmdDataStart ) ; 

break ; 
case 204: 
case 501: 

debugBlurtl ("Napster Download/Upload command %d", cmdType ); 
50 ret = napParseCmdNewAddr( cmdLength, cmdDataStart ) ; 

break ; 
case 300: 
case 703: 

debugBlurtl ("Napster Set Port command %d", cmdType ); 
55 ret = napParseCmdNewPort( ipf, cmdLength, cmdDataStart ) ; 

break ; 
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case 901: 

debugBlurtl ("Napster Listen Test command %d", cmdType ); 
ret = napParseCmdNewPort( ipf, cmdLength, cmdDataStart ) ; 
break ; 
default: 

ret -FALSE; 



10 } 



} 

return ret ; 



/* 

* The client login in message format is: 
15 * <username> <password> <port> "<client-info>" <link-type> 

*/ 

BOOL 

napParseCmdLogin( IPF INFO PTR ipf, UINT16 cmdLength, char *cmdDataStart ) { 

20 charcopyString[NAP_CMD_LOGIN_LENGTH]; 
char *copyStringKmem ; 

char ^marker; 
char *userString ; 

char *passString ; 

25 char *portString ; 

UINT16 portNumber ; 
NessFlowPtr nf ; 
SIDE sside, dside; 
unsigned long saddr; 



whereStr( M napParseCmdLogin"); 



copyStringKmem = NULL; 
if (cmdLength < NAP_C3MD_LOGIN_LENGTH) { 
35 memcpy(copyString, cmdDataStart, cmdLength) ; 

/* Must be null terrninated for strtok_r */ 
copyString[cmdLength] = 0; 

40 userString = strtok_r( copyString, " M ? &marker); 

passString = strtok_r( NULL, " &marker); 
portString = strtok_r( NULL, " &marker); 
} else { 

45 /* cmdLength will be less than a packet in size */ 

if (!(copyStringKmem = (char *)kmalloc( cmdLength + 1, M_NESS))) { 

/* Bail out because we're out of memory */ 
return FALSE ; 

50 } 

memcpy( copyStringKmem, cmdDataStart, cmdLength ) ; 

/* Must be null terminated for strtok_r */ 
copyStringKrnemfcmdLength] = 0 ; 
55 userString = strtok_r( copyStringKmem, " &marker) ; 

passString - strtok_r( NULL, " &marker) ; 
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portString = strtok_r( NULL, " ", &marker) ; 

} 

/* Convert the port string into an integer */ 
5 if ( portString && napParsePort( portString, &portNumber )) { 

/* Now we can set some associative rememberance */ 

/* If the port number is zero (which means that this client is 

behind a firewall) then there is no need to remember it */ 
10 if (portNumber) { 

nf = nessFlowFromlPF(ipf) ; 

sside = bcb_direction(ipf->bcb) ; 

dside = (sside?0: 1); 

saddr = nf->conn.addr[dside] ; 

15 

/* Remember this pending flow */ 

if (nessRememberDependantRedirection(saddr, portNumber, TCP_PTCL, 
SVC_NAP_DATA, nf)) { 
debugBlurt3("Remembering Dependant Flow: 0x%x, %d, %d is Napster-Data", 
20 saddr, portNumber, TCP_PTCL); 

} 

else { 

debugBlurt("DEBUG: failed to remember redirection"); 

} 

25 } 

if (copyStringKmem) kfree( copyS tringKmem ) ; 
return TRUE; 

} 

if (copyStringKmem) kfree( copyStringKmem ) ; 
30 return FALSE ; 



/* 

35 * The download messages are of the form: 
* <username> <ip> <port> ... 
*/ 

BOOL 

napParseCmdNewAddr( UINT16 cmdLength, char *cmdDataStart ) { 

40 

charcopyString[NAP_CMD_NEWADDR_LENGTH]; 
char *copyStringKmem ; 

char *marker ; 

char *userString ; 

45 char *addrString ; 

char *portString ; 

UINT16 portNumber ; 
IP ADDR peerAddr ; 

50 whereStr("napParseCmdNewAddr"); 

copyStringKmem = NULL; 

/* 

55 * Look at the first NAPCMDNEWADDRLENGTH bytes of the command. 

* Considering that we're only interested in the first three fields 
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* of the command and that the <ip> and <port> pieces will only consume 

* a maximum of 17 bytes, including white space, then we only need 

* to account for a big username length. If it looks like the 

* username is so big that we may truncate the ip addr or port number, 

* then we must use kmalloc to correctly parse the command. 
*/ 

/* cmdLength will be less than a packet in size */ 

memcpy(copyString ? cmdDataStart, NAP CMD NEWADDR LENGTH ) ; 

/* Must be null terminated for strtokj */ 
copyString[NAP_CMD_NEWADDR_LENGTH-l] = 0 ; 
userString - strtok_r( copyString, " &marker) ; 



1 5 /* Check to see if the username was a resonable length */ 

if ((marker - copyString) < (NAP CMD NEWADDR LENGTH - 17)) { 

/* If username is okay, then get the remaining pieces */ 
addrString = strtok_r( NULL, " &marker) ; 
20 portString = strtok_r( NULL, " &marker) ; 

} 



/* Otherwise, it is an obnoxiously long username and we must use kmalloc */ 
else { 

/* cmdLength will be less than a packet in size */ 

if (!(copyStringKmem = (char *)kmalloc( cmdLength + 1, M_NESS))) { 



/* Bail out because we're out of memory */ 
30 return FALSE; 

} 

memcpy( copyStringKmem, cmdDataStart, cmdLength ) ; 

/* Must be null terminated for strtok r */ 
3 5 copyStringKmem[cmdLength] = 0 ; 

marker = NULL ; 

userString = strtok_r( copyStringKmem, " ", &marker) ; 
addrString - strtok_r( NULL, " &marker) ; 
portString = strtok_r( NULL, " ", &marker) ; 

40 } 

/* Convert the port string into an integer */ 

if ( addrString && portString && napParsePort(portString, &portNumber) ) { 

45 /* Convert the address string to an EPADDR */ 

peerAddr = (UINT32)strtoul(addrString, (char **)0, 10) ; 



if (peerAddr !=ULONG_MAX) { 
peerAddr = rev4(peerAddr) ; 

/* Since this is a specific download command that will happen 

right now, we can use the regular rememberance */- 
if (peerAddr && portNumber) { 

55 /* Remember this future flow */ 

if (nessRememberRedirection(peerAddr, portNumber, TCP_PTCL, 
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SVCNAP_DATA)) { 
debugBlurt3("Remembering: 0x%x, %d, %d is Napster-Data", peerAddr, 
portNumber, SVC_NAP_DATA); 

} 

5 else { 

debugBlurt( H DEBUG: failed to remember redirection"); 

} 

} 

10 if (copyStringKmem) kfree( copyStringKmem ) ; 

return TRUE; 

} 

if (copyStringKmem) kfree( copyStringKmem ) ; 
return FALSE; 

15 } 



/* 

* Some messages change or add port numbers and just contain the number: 
20 * <port> 
*/ 

BOOL 

napParseCmdNewPort( IPF_INFO_PTR ipf, UINT16 cmdLength, char *cmdDataStart ) { 

25 UINT16 portNumber; 

NessFlowPtrnf; 
SIDE sside, dside; 
unsigned long saddr; 

3 0 whereStr("napParseCmdNewPort"); 

/* Convert the port string into an integer */ 

if ( napParsePort( cmdDataStart, &portNumber ) && portNumber) { 



35 /* Now we can set some associative rememberance */ 

nf = nessFlowFromlPF(ipf) ; 
sside = bcb_direcrion(ipf->bcb) ; 
dside - (sside ? 0 : 1) ; 
saddr = nf->conn.addr[dside] ; 



debugBlurt2("PEND!NG FLOW : client Ox%x, port %d" 5 
saddr, portNumber ); 



/* Remember this pending flow */ 
45 if (nessRememberDependantRedirection(saddr ? portNumber, TCP_PTCL, 

SVC_NAP_DATA, nf)) { 

debugBlurt3( n Remembering Dependant Flow: 0x%x, %d, %d is Napster-Data", 
saddr, portNumber, TCP PTCL); 

50 } else { 

debugBlurt("DEBUG: failed to remember redirection"); 

return TRUE; 

} 

55 return FALSE ; 
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